The threat actors behind the Play ransomware are estimated to have affected around 300 entities as of October 2023, according to a new joint Australian and US cyber security advisory.
“Play ransomware attackers used a dual ransomware model to steal data and then encrypt systems, affecting a wide range of enterprises and critical infrastructure organizations in North and South America, Europe and Australia,” authorities said.
Play, also known as Balloonfly and PlayCrypt, emerged in 2022 and has exploited security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet devices (CVE-2018-13379 and CVE-2020-12812) to break into enterprises and deploy file-encrypting malware.
It is worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as the initial infection vector: according to Corvus, the share of attacks starting from an exploited vulnerability jumped from almost zero in the second half of 2022 to nearly a third in the first half of 2023.
Cybersecurity firm Adlumin revealed in a report last month that Play is being provided “as a service” to other threat actors, completing its transition to a ransomware-as-a-service (RaaS) operation.
The group’s ransomware attacks are characterized by the use of public and custom tools: AdFind to run Active Directory queries; GMER, IOBit, and PowerTool to disable antivirus software; and Grixba to enumerate network information and scan for backup software and remote administration tools installed on the machine.
Threat actors have also been observed using Cobalt Strike, SystemBC, and Mimikatz for post-exploitation, lateral movement, data exfiltration, and the encryption stage.
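The tooling above is what a defender would hunt for in process-creation telemetry. The following is an added example, not code from the advisory, the article, or any vendor it cites: a small Python detector run over constructed sample log lines. The log format, field names, sample records, and the indicator regexes are assumptions made for illustration; only the tool names come from the text, and two command-line fragments (AdFind's `(objectcategory=` LDAP filter and Mimikatz's `sekurlsa::` module) are well-known usage of those tools. Cobalt Strike and SystemBC are left out because neither runs under a fixed file name. The detector matches on both image name and command line, so a renamed AdFind or Mimikatz binary is still caught, and it groups hits per host because a single AdFind run is dual-use and only becomes interesting next to AV tampering or credential dumping on the same machine.

```python
"""Added example (not code from the advisory or the article): flag process
creation records that match the Play tooling named in the text.

Log format, field names, sample lines and the indicator patterns are
assumptions made for this example."""
import re

# Constructed sample records (not real telemetry) in an assumed, simplified
# format: "<timestamp> | host=<h> | user=<u> | image=<path> | cmdline=<args>".
SAMPLE_LOG = """\
2023-12-18T10:01:02Z | host=WS-0412 | user=CORP\\jdoe | image=C:\\Windows\\System32\\notepad.exe | cmdline=notepad.exe report.txt
2023-12-18T10:04:15Z | host=WS-0412 | user=CORP\\jdoe | image=C:\\Users\\Public\\adfind.exe | cmdline=adfind.exe -f "(objectcategory=person)" > users.txt
2023-12-18T10:06:40Z | host=WS-0412 | user=CORP\\jdoe | image=C:\\Users\\Public\\svc.exe | cmdline=svc.exe -f "(objectcategory=computer)" > hosts.txt
2023-12-18T10:09:03Z | host=SRV-FILE01 | user=NT AUTHORITY\\SYSTEM | image=C:\\Temp\\PowerTool64.exe | cmdline=PowerTool64.exe
2023-12-18T10:12:51Z | host=SRV-FILE01 | user=CORP\\admin | image=C:\\Temp\\x.exe | cmdline=x.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2023-12-18T10:15:00Z | host=SRV-FILE01 | user=CORP\\admin | image=C:\\Temp\\grixba.exe | cmdline=grixba.exe
"""

# (label, regex over the image file name or None, regex over the command line or None).
# Image matches catch the tools under their own names; command-line matches
# also catch them after the binary has been renamed. Patterns are assumptions
# for this example, built from the tool names in the advisory.
INDICATORS = (
    ("adfind_ad_query", r"^adfind\.exe$", r"\(objectcategory=|\(objectclass="),
    ("gmer_av_tamper", r"^gmer(64)?\.exe$", None),
    ("powertool_av_tamper", r"^powertool(64)?\.exe$", None),
    ("iobit_av_tamper", r"^iobit\w*\.exe$", None),
    ("grixba_recon", r"^grixba\.exe$", None),
    ("mimikatz_credential_dump", r"^mimikatz\.exe$", r"sekurlsa::|lsadump::"),
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| host=(?P<host>[^|]+?) \| user=(?P<user>[^|]+?)"
    r" \| image=(?P<image>[^|]+?) \| cmdline=(?P<cmdline>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one record, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Normalise the image path to a lower-case base name for matching.
    rec["basename"] = rec["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return rec


def match_indicators(rec):
    """Return [(label, matched_on)] for every indicator the record triggers."""
    hits = []
    for label, image_re, cmd_re in INDICATORS:
        by_image = image_re is not None and re.search(image_re, rec["basename"], re.I)
        by_cmd = cmd_re is not None and re.search(cmd_re, rec["cmdline"], re.I)
        if by_image or by_cmd:
            hits.append((label, "image" if by_image else "cmdline"))
    return hits


def detect(log_text):
    """Run every record in log_text through the indicators; return alert dicts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the pipeline
        for label, how in match_indicators(rec):
            alerts.append({
                "ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                "indicator": label, "matched_on": how,
                "image": rec["image"], "cmdline": rec["cmdline"],
            })
    return alerts


def summarize_by_host(alerts):
    """Map host -> sorted list of distinct indicators seen on it."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["indicator"])
    return {h: sorted(s) for h, s in per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["indicator"]} (matched on {a["matched_on"]}): {a["cmdline"]}')
    print(summarize_by_host(found))
```

Run the file directly to print the alerts for the constructed sample; feed `detect()` your own exported records in the same format. Note that the third sample line, a renamed AdFind binary (`svc.exe`), is only caught through its command line, which is why image-name-only rules are not enough against this group.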
“The Play ransomware gang employs a dual extortion model, encrypting systems after stealing data,” the agencies said. “The ransom note does not include an initial ransom demand or payment instructions, but instead instructs victims to contact the threat actors via email.”
According to statistics compiled by Malwarebytes, Play allegedly claimed nearly 40 victims in November 2023 alone, but significantly lags behind its peers LockBit and BlackCat (aka ALPHV and Noberus).
A few days ago, U.S. government agencies issued an updated advisory regarding the Karakurt group, which is known to have moved from encryption-based attacks to pure extortion after gaining initial access to a network via purchased stolen login credentials, intrusion brokers (aka initial access brokers), phishing, and known security flaws.
“Karakurt victims did not report encryption of infected machines or files; instead, Karakurt actors claimed to have stolen data and threatened to auction or release the data to the public unless they received the requested ransom,” the government said.
Meanwhile, there is speculation that the BlackCat ransomware operation could be the target of a law enforcement action after its dark web leak portal went offline for five days. The group, however, blamed the outage on a hardware failure.
What’s more, another nascent ransomware group called NoEscape allegedly ran an exit scam that effectively “stole the ransom and shut down the group’s network panels and data exfiltration sites,” prompting other gangs such as LockBit to recruit its former affiliates.
Whether or not the cause is external pressure from law enforcement, it is no surprise that the ransomware landscape continues to evolve and change. This is further evidenced by the collaboration between the BianLian, White Rabbit, and Mario ransomware gangs in a coordinated extortion campaign targeting publicly traded financial services companies.
“These collaborative ransomware campaigns are rare, but may become more common due to the involvement of Initial Access Brokers (IABs) working with multiple groups on the dark web,” Resecurity said in a report released last week.
“Another factor that may lead to greater cooperation is law enforcement intervention that creates cybercriminal diaspora networks. Displaced actors in these threat actor networks may be more willing to cooperate with competitors.”